Personal Information Leakage During Password Recovery of Internet Services

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

In this paper we examine the standard password recovery process of large Internet services such as Gmail, Facebook, and Twitter. Although most of these services try to maintain user privacy with regard to registration information and other personal information provided by the user, we demonstrate that personal information can still be obtained by unauthorized individuals or attackers. This information includes the full (or partial) email address, phone number, friends list, address, etc. We examine different scenarios and demonstrate how the details revealed in the password recovery process can be used to deduce more focused information about users.


💡 Research Summary

The paper investigates the privacy risks inherent in the password recovery mechanisms of major Internet services such as Gmail, Facebook, Twitter, PayPal, Microsoft, and Yahoo. While these services aim to help users regain access to their accounts, the authors demonstrate that the recovery process often discloses partial personal data—such as fragments of email addresses, the last two or three digits of phone numbers, and subsets of a user’s friend network—that can be exploited by an attacker.

The authors first model the recovery workflow as four generic steps: (1) entering a username or email, (2) selecting a recovery option, (3) proceeding through the recovery flow, and (4) exploring alternative options if available. During steps 3 and 4 they record every piece of user‑specific information displayed on the screen. Their empirical survey shows that Facebook reveals parts of the alternative email address and the last three digits of the phone number; Gmail shows the first and last character of the alternate email username plus part of the domain, together with the last two to three digits of the phone number; PayPal discloses the last three digits of the phone number; Twitter and Yahoo expose small fragments of the email address and the last two digits of the phone number respectively. Although each leak appears minimal in isolation, the authors argue that an adversary can combine them with publicly known facts (e.g., a user’s name or primary email) to reconstruct a detailed profile.

To illustrate the practical impact, the paper presents a step‑by‑step attack scenario against a fictitious user, John Smith. Starting with Facebook’s recovery, the attacker learns that Smith’s alternate email follows a pattern ending in “.edu,” suggesting an academic affiliation. By examining the three groups of friends that Facebook presents for verification, the attacker infers that Smith is likely a university student, estimates his age (18‑22), identifies his probable institution (Furman University), and even guesses his hometown (Raleigh, North Carolina). The attacker then uses Gmail’s recovery to obtain the last two digits of Smith’s phone number, combines this with the known area code (919) and narrows the possible numbers to 100,000 candidates. By cross‑referencing public phone directories, the attacker can quickly pinpoint the exact number, completing a near‑complete personal profile.

Beyond social‑network attacks, the authors describe two additional vectors: (A) an SMS‑based recovery attack where a malicious Android app with SMS‑reading permissions silently intercepts verification codes sent to the user’s phone, and (B) an email‑based attack where a malicious app with mail‑reading permissions captures verification emails. In both cases, the attacker can complete the password reset without the user’s awareness, gaining full account control.

The related‑work section surveys prior studies on password recovery, security questions, token‑based authentication, and human‑relationship‑based verification, highlighting that many of these mechanisms suffer from similar leakage or social‑engineering weaknesses. The paper concludes that password recovery designs must adhere to a “minimum‑information‑exposure” principle, incorporate multi‑factor authentication, and limit the amount of user data displayed during recovery. Failure to do so not only endangers individual privacy but also creates legal liabilities for service providers.
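To make the “minimum‑information‑exposure” principle concrete, the following Python is an added illustration (not code from the paper or from any of the services it surveys). It contrasts a hint‑masking policy that mirrors the disclosure pattern summarized above (first and last character of the email local part plus the domain in clear, last three phone digits in clear) with a minimal policy that names only the channel type, and it counts how many phone numbers remain consistent with a hint, which is the residual uncertainty a defender wants to keep large. The policy names, the placeholder wording of the minimal hints, and the sample values are all constructed for this example.

```python
"""Two hint-masking policies for a password-recovery screen (added example).

VERBOSE mimics the disclosure pattern the summary describes; MINIMAL follows
the minimum-information-exposure principle and reveals only that a channel
exists. phone_candidates() reports how many phone numbers stay consistent
with a hint, i.e. the residual search space left to an unauthorized party.
"""

from dataclasses import dataclass
import re


@dataclass(frozen=True)
class HintPolicy:
    email_edge_chars: int        # characters shown at each end of the local part
    show_domain: bool            # whether the domain is shown in clear
    phone_trailing_digits: int   # trailing phone digits shown in clear


# Hypothetical policies constructed for this example.
VERBOSE = HintPolicy(email_edge_chars=1, show_domain=True, phone_trailing_digits=3)
MINIMAL = HintPolicy(email_edge_chars=0, show_domain=False, phone_trailing_digits=0)


def mask_email(email: str, policy: HintPolicy) -> str:
    """Render the recovery-email hint a user sees under the given policy."""
    local, _, domain = email.partition("@")
    if policy.email_edge_chars == 0 and not policy.show_domain:
        # Minimal disclosure: confirm a channel exists, reveal nothing about it.
        return "a recovery email address on file"
    k = policy.email_edge_chars
    if len(local) <= 2 * k:
        # Short local parts would be fully exposed by edge characters; hide all.
        masked_local = "*" * len(local)
    else:
        masked_local = local[:k] + "*" * (len(local) - 2 * k) + local[-k:]
    masked_domain = domain if policy.show_domain else "*" * len(domain)
    return f"{masked_local}@{masked_domain}"


def mask_phone(phone: str, policy: HintPolicy) -> str:
    """Render the recovery-phone hint, keeping only the configured trailing digits."""
    digits = re.sub(r"\D", "", phone)
    n = policy.phone_trailing_digits
    if n == 0:
        return "a phone number on file"
    return "*" * (len(digits) - n) + digits[-n:]


def phone_candidates(total_digits: int, known_digits: int) -> int:
    """Phone numbers consistent with a hint once `known_digits` positions are fixed.

    With a 10-digit number, a known 3-digit area code and two disclosed trailing
    digits, five positions remain unknown: 10**5 = 100,000 candidates, the
    figure the summary quotes for the John Smith scenario.
    """
    return 10 ** (total_digits - known_digits)


if __name__ == "__main__":
    sample_email = "johnsmith@furman.edu"   # constructed sample value
    sample_phone = "(919) 555-0142"         # constructed sample value
    for name, policy in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        print(name, mask_email(sample_email, policy), mask_phone(sample_phone, policy))
    # Area code known (3 digits) plus whatever the hint discloses.
    print("verbose residual candidates:", phone_candidates(10, 3 + VERBOSE.phone_trailing_digits))
    print("minimal residual candidates:", phone_candidates(10, 3 + MINIMAL.phone_trailing_digits))
```

The design choice worth noting is that the minimal policy never varies its wording with the underlying value, so the recovery screen cannot be used as an oracle: two different accounts with different recovery addresses produce byte‑identical hints. Any policy that exposes edge characters or trailing digits should be reviewed together with what is already public about the user, since it is the combination, not the fragment, that shrinks the candidate space.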

Overall, the study provides a comprehensive, evidence‑based assessment of how seemingly innocuous recovery steps can be weaponized to extract personal data, underscoring the need for stronger, privacy‑preserving recovery protocols across the Internet ecosystem.

